MWC 2016: IoT Security ‘Is A Mess’ Says Sophos’ James Lyne

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Sophos’ James Lyne talks about the ‘mess’ that is IoT security and why safeguarding smartphones is crucial

As the world around us becomes ever more connected and we put more and more of our personal lives on to mobile devices, the questions surrounding security become ever more important.

With many people unconsciously still treating their smartphones as a basic device that can only make calls and send texts, and not as a highly-powered connected device that contains reams of personal information, just how worried should users be about the security of their device?

Sensitive

“We’re at a point where our smartphone contains most sensitive information than our PC,” James Lyne, global head of security research at Sophos told TechWeekEurope at Mobile World Congress (MWC) in Barcelona.

“If you talk to users about their feelings for (mobile) devices…the trust levels are extremely high compared to traditional computers – and there’s a very strong feeling of trust towards app stores.

“But when you actually analyse whether that trust is deserved, it’s quite fragile, and we’ve got users expecting one thing, but receiving another – and that gap is only widening.”

He said much of this is down to developers being too focused on a ‘build fast, build hard, ship’ mentality, as many consumers will appreciate new and shiny features over improved security precautions.

“It’s probably not a huge surprise…but maybe it’s time some of those companies start doubling back and asking themselves questions about security,” he explained.

“It’s important that developers continue to focus on secure coding practices – it’s been said a lot, but building security in as you go is a hell of a lot cheaper than retrospectively adding it in later…we’re building some serious ‘tech debt’ in this industry, which at some point, someone is going to have to pay a price for.”

Lyne highlighted a “glacial” change in security awareness among mobile users, as many people remain unaware of the best way to stay protected whilst using their devices, preferring instead to safeguard their work or personal computers.

“I’m not saying that your scale of danger from malicious code on an iPhone is on the same scale as a PC – that’s absolutely not the case,” Lyne said. “But there are small kinks in the armour that are very concerning.

“(Smartphones) have grown so quickly from a simple black box that you can use to make calls and nothing goes wrong, and there’s not a huge risk, to a device that in some cases even has access to more information than a laptop….and our psychological attitude to this device has not shifted as consumers, or small businesses – so our alertness to the fact that we may be attacked is way less.”

Messy

As companies race to be the first to release a smart, connected, product, from fridges to kettles to socks, this race to launch can often mean that security is left behind. This is a worrying thought when it concerns a device that can gain access to some of your personal data, and Lyne is nothing but blunt when it comes to the current state of the IoT security market.

“Everything is bad.” he said. “The best way to summarise [the current state of IoT security] is – it’s a mess.”

“Many of the IoT devices I looked at were tragic, embarrassing and negligent,” he says, “It makes you question, who the hell is writing these things?”

Fortunately, the average consumer is not immediately under threat from these lax attitudes, as many connected IoT devices are pretty uninteresting to attackers – at least for the time being.

However, this perspective may soon change as more and more devices are sold, with Lyne pushing for the industry to work out the kinks and begin properly installing security precautions whilst many IoT devices are seen as gimmicks or toys.

Only this, coupled with a growing consumer awareness about possibly low security measures, can help spur on the IT industry into ensuring the IoT remains safe for all.

“When I see the level of investment that some cybercriminals put into modern-day exploits against the browser, against Microsoft’s operating systems, that have invested so heavily in security – it’s pretty easy to see that as soon as it becomes interesting, we’re going to get a very nasty data breach,” Lyne warned